From 29c791c90e34a910350aa95dccf6358fa45ed1de Mon Sep 17 00:00:00 2001 From: David Yu <dyu@hashicorp.com> Date: Mon, 29 Nov 2021 12:37:14 -0800 Subject: [PATCH] docs: Notes about WAN Federation when using Vault as Connect CA (#11143) * docs: Notes about WAN Federation when using Vault as Connect CA * Apply suggestions from code review Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> * Update website/content/docs/connect/ca/vault.mdx Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> * Update website/content/docs/connect/ca/vault.mdx Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> * Update website/content/docs/connect/ca/vault.mdx Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> * Update vault.mdx * Update vault.mdx Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> --- website/content/docs/connect/ca/vault.mdx | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/website/content/docs/connect/ca/vault.mdx b/website/content/docs/connect/ca/vault.mdx index c6dd47a794..3929c43ee0 100644 --- a/website/content/docs/connect/ca/vault.mdx +++ b/website/content/docs/connect/ca/vault.mdx 
@@ -120,16 +120,21 @@ The configuration options are listed below. exist, Consul will mount a new PKI secrets engine at the specified path with the `RootCertTTL` value as the root certificate's TTL. If the `RootCertTTL` is not set, a [`max_lease_ttl`](https://www.vaultproject.io/api/system/mounts#max_lease_ttl) - of 87600 hours, or 10 years is applied by default as of Consul 1.11 and later. - - Prior to Consul 1.11, the root certificate TTL was set to 8760 hour, or 1 year, and - was not configurable. + of 87600 hours, or 10 years is applied by default as of Consul 1.11 and later. Prior to Consul 1.11, + the root certificate TTL was set to 8760 hour, or 1 year, and was not configurable. + The root certificate will expire at the end of the specified period. + + When WAN Federation is enabled, each secondary datacenter must use the same Vault cluster and share the same `root_pki_path` + with the primary datacenter. - `IntermediatePKIPath` / `intermediate_pki_path` (`string: <required>`) - The path to a PKI secrets engine for the generated intermediate certificate. This certificate will be signed by the configured root PKI path. If this path does not exist, Consul will attempt to mount and configure this - automatically. + automatically. + + When WAN Federation is enabled, every secondary + datacenter must specify a unique `intermediate_pki_path`. - `CAFile` / `ca_file` (`string: ""`) - Specifies an optional path to the CA certificate used for Vault communication. If unspecified, this will fallback
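Review bot: the rewritten TTL sentence in this hunk carries over the grammar slip from the removed lines: `the root certificate TTL was set to 8760 hour, or 1 year,` should read `8760 hours, or 1 year,`, and the preceding clause `of 87600 hours, or 10 years is applied by default` needs a comma after `10 years` so the parenthetical closes before `is applied`. On the substance, the two new WAN Federation notes would read better if each stated its reason in one clause: the `root_pki_path` paragraph can tie back to the sentence in the next bullet that the intermediate "will be signed by the configured root PKI path" (the shared root mount is what lets every datacenter's intermediate chain to one root), and the `intermediate_pki_path` paragraph can note that, because Consul mounts and configures the intermediate engine automatically, two datacenters pointed at the same path would manage the same mount, which is why each secondary needs its own. Minor: "WAN Federation" is capitalised here while the rest of the docs page uses "WAN federation"; pick one.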